We are in the planning stages of upgrading to vSphere 4. We're going to build a new vCenter Server and we're discussing security as it relates to isolating vCenter by subnet. I did some searching for best practices but haven't found any info so far.
Should the vCenter Server be in a different subnet than the ESXi 4.0 Hosts it manages? If so, or not, can anyone point me to documentation about this subject?
Thanks much in advance,
Steve Peck
Portland, OR
The ESX hosts do not have to be in a separate subnet from VC. For added security you can use a firewall, VLANs or iptables.
Mike
If anything, I would put VC on the same subnet as the hosts. If they have to go through a firewall to talk, then you have a new dose of ports to manage and the question of firewall rules any time something doesn't work.
If you have multiple NICs/IPs on the VC, make sure that the hosts resolve the "inside" or "mgmt" IP address to the VC, so they don't try to connect to it through extra hops.
I don't know of any docs for that info, but there is a hardening guide. IIRC, it's at vmware.com/security .
Thanks msemon1 and danm66 for your responses. Due to some regulatory, compliance, and political concerns we're going to isolate the vCenter Server behind a firewall and task the Network team to create the ACLs which allow it to connect to the Hosts, etc.
Sometimes 'easier' just doesn't cut it.
Steve
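An added example, not from any poster in this thread, that models the firewall ACL Steve's network team would write for a vCenter isolated from its hosts and checks it for the two things danm66 warns about: required vCenter/ESXi flows that the ACL silently drops, and a vCenter name that does not resolve to the management-side address. The port list (443/tcp and 902/tcp from vCenter to hosts, 902/udp heartbeat from hosts back) is assumed from the vSphere 4 port requirements and should be confirmed against VMware's documentation; all addresses and names are constructed.

```python
import ipaddress
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    action: str   # "permit" or "deny"

# Flows assumed for vSphere 4 (confirm against VMware's port documentation):
# vCenter -> host on 443/tcp and 902/tcp, host -> vCenter heartbeat on 902/udp.
VC_TO_HOST = [("tcp", 443), ("tcp", 902)]
HOST_TO_VC = [("udp", 902)]

def first_match(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation with an implicit deny at the end, like a typical ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto == proto and r.port == port):
            return r.action
    return "deny"

def blocked_flows(rules, vc_ip, host_ips):
    """Return every required vCenter/ESXi flow the ACL would not permit."""
    blocked = []
    for h in host_ips:
        for proto, port in VC_TO_HOST:
            if first_match(rules, vc_ip, h, proto, port) != "permit":
                blocked.append((vc_ip, h, proto, port))
        for proto, port in HOST_TO_VC:
            if first_match(rules, h, vc_ip, proto, port) != "permit":
                blocked.append((h, vc_ip, proto, port))
    return blocked

def resolves_to_mgmt(vc_name, mgmt_subnet, lookup=socket.gethostbyname):
    """True when the name hosts use for vCenter resolves inside the management subnet (no extra hops)."""
    return ipaddress.ip_address(lookup(vc_name)) in ipaddress.ip_network(mgmt_subnet)

# Constructed sample: vCenter 10.0.0.10 behind the firewall, hosts in 10.0.1.0/24.
SAMPLE_RULES = [
    Rule("10.0.0.10/32", "10.0.1.0/24", "tcp", 443, "permit"),
    Rule("10.0.0.10/32", "10.0.1.0/24", "tcp", 902, "permit"),
    # Missing: the hosts' 902/udp heartbeat back to vCenter, so hosts would show as not responding.
]
SAMPLE_HOSTS = ["10.0.1.11", "10.0.1.12"]
```

Running `blocked_flows(SAMPLE_RULES, "10.0.0.10", SAMPLE_HOSTS)` reports the missing heartbeat rule for each host; adding a permit for 10.0.1.0/24 to 10.0.0.10/32 on 902/udp clears it.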